Apex One Zero-day Vulnerability

A zero-day vulnerability that was being actively exploited by malicious actors has been patched on the Apex One system and was announced by Trendmicro in a security advisory on Tuesday. Along with it, several other Apex One security vulnerabilities were disclosed that were actively exploited as severely vulnerable scripts were previously found in them. Trend Micro warned customers to patch the Apex One security vulnerability as soon as possible as the vulnerability (CVE-2022-40139) has the capability to allow attackers to execute arbitrary code remotely on systems running unpatched software.

Apex One SaaS is an endpoint security platform that offers companies automated threat detection and response against malicious software, malware, and vulnerabilities. It is known for strong SIEM integration with centralized visibility and augmented security with deployment flexibility through both SaaS and on-premise deployment options. Both delivery systems have been attacked numerous times.

Besides patching the zero-day vulnerability, Apex One also addresses three other high-severity and two medium-severity issues. These vulnerabilities generally cover issues like Origin Validation Error Denial-of-Service, Information Disclosure, Agent Link Following Local Privilege Escalation, and Link Following Local Privilege Escalation, and of those, the Login Authentication Bypass Vulnerability, CVE-2022-40144, is the most serious of them. It can be used to obtain information about a targeted server or to carry out DoS attacks, allowing attackers to bypass authentication by sending specially crafted requests. According to CISA’s Known Exploited Vulnerabilities Catalog, eight other Trend Micro flaws have been exploited in the wild over the last few years. Most of these issues affect Apex products.

As disclosed by the security advisory at Trend Micro, the flaw could allow an Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. It was also stated that an attacker must have previously stolen authentication information for the product’s management console in order to exploit this vulnerability, so it is not possible to infiltrate the target network using this vulnerability alone. Trend Micro has patched the other vulnerabilities that may be used for privilege escalation, DoS attacks, and gathering information about a targeted server.

All the vulnerabilities disclosed have been patched in earlier releases for the SaaS product. It is highly recommended that all users install patches right away.